Analysis
-
max time kernel
151s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
18/01/2024, 23:17
General
-
Target
2024-01-18_ba8ba3c729d8e921e332bac9f829a0fa_goldeneye.exe
-
Size
372KB
-
MD5
ba8ba3c729d8e921e332bac9f829a0fa
-
SHA1
d9f0a8ce1f4960db5d3f2e524c8cb178128b5289
-
SHA256
1b7dea6d3b542f8aed215499c4130e5a0d1313a9fa74b284290dbfdfb1434c62
-
SHA512
aee8440d6e19b823871a18c00cca9a87edc86088dfe28f9164eb9b26713573b8353960516f284d6cf0c0eceff11ef30991c59a24cbcd66c9f1eb6199289436cb
-
SSDEEP
3072:CEGh0ovlMOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBfM:CEGNlkOe2MUVg3vTeKcAEciTBqr3
Malware Config
Signatures
-
Auto-generated rule 12 IoCs
-
Modifies Installed Components in the registry 2 TTPs 24 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-01-18_ba8ba3c729d8e921e332bac9f829a0fa_goldeneye.exe"C:\Users\Admin\AppData\Local\Temp\2024-01-18_ba8ba3c729d8e921e332bac9f829a0fa_goldeneye.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{34E3EB27-79B9-49a8-8292-E6F18516B910}.exeC:\Windows\{34E3EB27-79B9-49a8-8292-E6F18516B910}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{5D48C093-2609-4af8-ADDD-B97596301918}.exeC:\Windows\{5D48C093-2609-4af8-ADDD-B97596301918}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7D5EE1EA-DDF5-4aa7-BDDB-2DE66DCC9B57}.exeC:\Windows\{7D5EE1EA-DDF5-4aa7-BDDB-2DE66DCC9B57}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{78CDA7EF-0D6D-4dd4-94B5-C2EF0F8AF6B7}.exeC:\Windows\{78CDA7EF-0D6D-4dd4-94B5-C2EF0F8AF6B7}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{39A9442E-06C6-4ab4-933B-67149A473D8E}.exeC:\Windows\{39A9442E-06C6-4ab4-933B-67149A473D8E}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{620613FF-9A6F-4ab4-A4F3-5F9945DB7B0B}.exeC:\Windows\{620613FF-9A6F-4ab4-A4F3-5F9945DB7B0B}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{EE971E89-D9D2-4caa-B4F2-9C935B5A35CF}.exeC:\Windows\{EE971E89-D9D2-4caa-B4F2-9C935B5A35CF}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2DE240A7-646D-4ceb-BA7C-43EF463C5247}.exeC:\Windows\{2DE240A7-646D-4ceb-BA7C-43EF463C5247}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{DE82F364-C08A-4105-ACFB-D419633D9447}.exeC:\Windows\{DE82F364-C08A-4105-ACFB-D419633D9447}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{6698A3E6-711C-44fb-BCF2-83129E8FFF9B}.exeC:\Windows\{6698A3E6-711C-44fb-BCF2-83129E8FFF9B}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{DC39358B-D14F-44d3-97A9-010ECF47FF33}.exeC:\Windows\{DC39358B-D14F-44d3-97A9-010ECF47FF33}.exe12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{B65F18C0-5FE9-47c5-AACD-6D7639D9D54C}.exeC:\Windows\{B65F18C0-5FE9-47c5-AACD-6D7639D9D54C}.exe13⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DC393~1.EXE > nul13⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6698A~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DE82F~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{2DE24~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{EE971~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{62061~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{39A94~1.EXE > nul7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{78CDA~1.EXE > nul6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7D5EE~1.EXE > nul5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{5D48C~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{34E3E~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
372KB
MD5cbeab6353a1787143849d50b0d882e6c
SHA1b3760a8e8073ee1e670bb86d239e9bf98cc335f2
SHA256de928b67bd7946f75293e34b802a7ff2a2b9ab2f47f56aeb3bbac37bb275434d
SHA51225cc9b9d354428aa48cb353c70d6c77d519452d8e031e3ef78d313f47ef1bc41626993d4393cc7426c4e949d935911c39564e7d087188869d89fb649569ed25f
-
Filesize
372KB
MD580a952090692cd8b6fd2587b7bc7b216
SHA1e2fe0c4c4d1c2dd08a5f2c49aec7de36b6cb7e2b
SHA256c57d19e1d35c3323dae5559ae1dfe35736a1ef89acf38d139c8b018bb7afa158
SHA512321adcb06a5c5e71722cd216f76bd2c3bac81a48dffd1d1539ed3c29f701cf1db81e9286240fe05ebf86d0e7cb1e70951552abf89ca021e3370076c41a11fe84
-
Filesize
372KB
MD5a8f7c1891502626a2ece57b8d53f83ee
SHA17bd60052650b8038af6bdf3876294c6889808bb0
SHA256854ad2b331b94a3ad7b4ce410fb57f9baa408e3e98950ded593e1263a0a1b462
SHA512c1ebf48a9f37fc1645193439fb88c82958b43fe7f4cf5f4e0c144de568376ab423210a787f6be93462b443c49c510ad938e880d5e8715a175bfdee0a85f4a803
-
Filesize
372KB
MD5e8a667b0428bf6bfa6f4d364ca800351
SHA1ca463426788d9709d3c3b2cf032ef28cdd744236
SHA256c04f36c2c852930bb51bb4790f87c1977866c143c8920b53402474f6e0acf2b2
SHA512e449bcf69050f12f733015dd938bc707ce3ea82ff27324299b451a9baa6bc22971c9eae029ecc323a00186a54a5462a110f105d8370ea50b8e0f60e74caa36f4
-
Filesize
372KB
MD5de141bf2abe6bc04336233651c554557
SHA1838f53a2f930ca0e85d15dd1e8cc6b17f37dbdd1
SHA25610f37079311d930e8b9417a0065795b5081be7def16dcd27528da7ef99440f38
SHA512ddadbc9dff3f135cec16cbf00bab17c4737f6b94dbfbe0f91948ab661107da6319af2ef3ea36427fb0f5a62246ff5cdbc46b05d650916adcf0a1ae798efc11f4
-
Filesize
372KB
MD5125367795330c2db5cc75c60abc5a518
SHA109f1c06b580441f5a3cc808b925643745f7c1406
SHA2567d6402df66c1b175bf51e305138be163c2957c4ca7ec4e23e9934506ec7c719f
SHA5121597ca624161a1dfebcac57abdcc710c2200a043b2529e4fce1e728b86bdc711e208a20902f99fd25a0ae0488019776a6790cd45778e47a7ebf09058b227c9bd
-
Filesize
372KB
MD5fcc044172e6cff1370a3018f7ce85286
SHA1a8a681644577d0e35e92b361100f47909f91a200
SHA25640da54346c6129607d62b6d48a9279e842c54e66ff7b6953cb9d378d3ca42d30
SHA512e221c479eebd24126d2f810def4a02fe0264f3fbfe364ce8c705194595ca9571b8bade47e2bfbbd41f7f9b3b9182ec9090644c1148eedb3ffda38a8021c0ef20
-
Filesize
372KB
MD58fcba6bdc12f542480b9f4b260e006a3
SHA19c712b62f6c3bd919df33ab8c00ef757afcff271
SHA256aaada3d41f559f1da6caf67a39600d868e10cd883ee93cdbf00af8cc19045319
SHA512d8115be8406a07aef2b572e892eddf19b6f70d0daf8e70bf5d61bfc2e2f38751f30296ffe3f8f2d9f4f6b27db96cfd138b607bac203be2b348f746c7d386c97c
-
Filesize
372KB
MD55e18d1aa4e78ca0b3e3c4a4c1db01bf6
SHA18204cc0e8604208327e1475c1b5e45c65b867d40
SHA256547b8defbacd0cc99115bd79741a30c87f2898e7053cc98eac38fab8cb5feb24
SHA5121abaf810967a5b5e6780bc766253a5d3bb22cf31a8e177f3ed7d62b9103cd85318aca9bb37273fa78f5592085e99b15a4cd08a215d12949296f5123c3f10ddb9
-
Filesize
372KB
MD53550cd8ad1d377f43b8c6143c0a13155
SHA1964ac39362dcd7d569914655720ece4f4b516a8a
SHA256fcaec7be1e9fc7711f86f201dc089f9b6579955d9facec38b0fedeb8da9d340b
SHA512d1303a83779c1e8d6fc698f7cb1d0fb9a11f786c7c33000d6a57a5333bfd5e99805decc6f9004e230bb8dfdf09c6b4e863fd147738ed455a823441f240e45c18
-
Filesize
372KB
MD5a58b1fcab8cc3a8e1c111ca5255af454
SHA186d7d1c30d03ab7f117ad022c4b5835416cfa967
SHA2564cce5b7c843da8728b0ef7cc401f151d40e585ccfd92588cc3f68fe568d01ce6
SHA512955cd84d0b42f784ffbbff9725bd5d7a9046ef7eb2475f68ce58b2f477e4865e28bb081495da4842a3c8d31de31f548cda5834f7e54b846edfba29ca15fed32e
-
Filesize
372KB
MD5f001f721400d807c377adebb4ca385d0
SHA13fadb35f1cc8108f1ee1ee58098b43bb99988823
SHA256827cc1588af03637a8e300812e4693f4f3c1d4e4d72ffd6d6149aa1eb5d826de
SHA5122054fae05c63f6115fdd2c010bcea58fd2b48fa559b50c545cf7d2ecf7366041de0780c6a141ae33a3579d8b0fbf8a887b8eba3fa65cce53d3f393ac10aefd34